How strong is your password?

June 7, 2007

Donncha

No matter how good the software running on a website is, there is always the human factor. If your password is “test”, “1234”, “qwerty” or anything equally obvious then you are putting your blog at risk of being hacked. For that reason the password change form on the profile page now checks how strong your password is.

A password can have four levels of strength:

Too short

Bad

Good

Strong

Please try to make your passwords “strong”, but we’ll accept “good” passwords too. It makes it a bit harder to change your password but the extra effort is worth it.

We’re using this code by Phiras. Thank you Phiras for making it available! I’m going to integrate this into WPMU soon as strong passwords are so important for site security.
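As an added illustration of the four-level meter described above (this is example code written for this page, not the Phiras script or WordPress's own code; the minimum length, the blocklist and the scoring thresholds are this example's own assumptions):

```javascript
// Added example: a four-level password meter in the spirit of the one
// described in the post. The scoring rules and thresholds are assumptions
// made for this example, not those of the Phiras script.
const MIN_LENGTH = 6; // assumed minimum; the post does not state one

// Constructed blocklist of obvious choices (the post names the first three).
// A real dictionary check would use a far larger word list.
const COMMON_PASSWORDS = new Set([
  "test", "1234", "qwerty", "123456", "password", "asdf",
]);

function passwordStrength(pw) {
  // "Too short" is decided first and is exclusive, so a password can never be
  // reported as "Good" and "too short" at the same time.
  if (pw.length < MIN_LENGTH) return "Too short";

  // Anything on the blocklist is Bad regardless of its character mix:
  // a dictionary attack finds it long before brute force would.
  if (COMMON_PASSWORDS.has(pw.toLowerCase())) return "Bad";

  // Count the distinct character classes present.
  let classes = 0;
  if (/[a-z]/.test(pw)) classes++;
  if (/[A-Z]/.test(pw)) classes++;
  if (/[0-9]/.test(pw)) classes++;
  if (/[^A-Za-z0-9]/.test(pw)) classes++;

  // Crude score: length plus a bonus for every class beyond the first.
  const score = pw.length + 3 * (classes - 1);
  if (score >= 16) return "Strong";
  if (score >= 11) return "Good";
  return "Bad";
}
```

A meter like this only rejects the obvious; it says nothing about whether a password has been reused elsewhere or phished, which is why the post's own advice about keeping passwords unique still matters.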

Wow! It’s ages since I’ve made a post about a new feature here. There’s a good reason for that. My wonderful son Adam was born on April 21st and had a small bit to do with my lack of updates. I’m working on a few more things now so I’ll be back to blog about more goodies soon!


Thanks for the concern about PWs. As an ex-geek, I recall promoting good passwords to people with whom I worked. It was a difficult sale.

I recommended using a readily memorable phrase, extracting the initial letters from it, and substituting numerals and punctuation for some of those letters. There are lots of illustrations on the Web of how to do this. Perhaps it will help some users to create secure passwords.

That said, I realize I’m using a relatively less secure PW. I ought to update mine.

Good work! I remember once getting yelled at by customers that they needed any password at all to access their account details (incl credit cards!) and especially one that had so many rules on how to make a password. I don’t understand why people wanted their accounts to be so unsafe, and then whinge later if someone broke into their broadband (and actually got it turned off). *sigh* Anyway, smart thinking!

Nice idea, but it has many weaknesses. It does not consider the possibility of dictionary attacks – it considers “0123456789” to be a good password. In reality, a dictionary attack would break it within quite a short time (I think about 20000 attempts at max.)

Additionally, I do not think this much paranoia is necessary. A bruteforce attempt against a password not in a dictionary, consisting of 6 random lowercase characters, using 10 attempts per second (and 36000 failed login attempts per hour on one blog would probably alert the admin team!), running for 10 days 24/7, would break the password with a probability of 3%. However, this password is still considered “bad”. Even an 8-lowercase-letter password is considered bad. The same bruteforce attack, running for a whole year, would have a 0.15% chance of breaking the password!

If anyone wants to hack some blogs, he is going to do a simple dictionary attack, so nearly ANY password not in a password cracking dictionary (qwertz, 123456, asdf and similar things ARE in such dictionaries) will protect well enough. If anyone wants to hack exactly YOUR blog, he WILL infect your pc with a trojan and steal the password or sniff it from a network you use, and then even an ultra-secure password like f”gh&&sah/svSD13″bjh+§#gHW23= is not going to help you.

In my opinion, a simple dictionary test should be run against new passwords, and maybe a minimum length of 6 characters could be imposed. Together with effective server-side login delays (if wrong password entered more than 3 times, wait 5 seconds before telling the user if the password was wrong or right, and make sure he can not circumvent this by trying thousands of passwords in parallel), this should avoid any hacking attacks. It would be more interesting to allow users to limit admin menu access to https to avoid sending auth cookies or even passwords out in plain view and if there are failed login attempts since the last successful login, the user should get a warning in red letters “n failed login attempts since last login” together with an option to view the IPs, and maybe a “last login: (date) (time)” display.
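The brute-force arithmetic in the comment above, worked through in code (an added example, not code from the post or from WordPress). It assumes a uniformly random password, an attacker who never repeats a guess, and the commenter's figure of 10 online guesses per second; the throttled rate is this example's own reading of the proposed 5-second delay as at most one guess every 5 seconds:

```javascript
// Added example: online guessing odds with the commenter's own parameters.
// Model (assumed): random password, no repeated guesses, so the probability
// of success is guesses / keyspace, capped at 1.
const LOWERCASE = 26;
const DAY = 24 * 60 * 60;
const YEAR = 365 * DAY;

function bruteForceProbability(length, alphabet, ratePerSecond, seconds) {
  const keyspace = Math.pow(alphabet, length);
  const guesses = ratePerSecond * seconds;
  return Math.min(1, guesses / keyspace);
}

// Expected guesses before success is half the keyspace; turn that into
// seconds at the given rate to get an expected time to crack.
function expectedSecondsToCrack(length, alphabet, ratePerSecond) {
  return Math.pow(alphabet, length) / 2 / ratePerSecond;
}

// 6 lowercase letters, 10 guesses/s, 10 days: the commenter's "about 3%".
const sixLettersTenDays = bruteForceProbability(6, LOWERCASE, 10, 10 * DAY);

// 8 lowercase letters, 10 guesses/s, a whole year: the commenter's "0.15%".
const eightLettersOneYear = bruteForceProbability(8, LOWERCASE, 10, YEAR);

// Same 6-letter password, 10 days, but with the proposed server-side delay
// holding the attacker to one guess per 5 seconds (assumed throttled rate).
const THROTTLED_RATE = 1 / 5;
const sixLettersThrottled = bruteForceProbability(6, LOWERCASE, THROTTLED_RATE, 10 * DAY);

// Expected time for the unthrottled 6-letter case, in days.
const sixLettersExpectedDays = expectedSecondsToCrack(6, LOWERCASE, 10) / DAY;
```

The numbers only hold while guessing is online and rate-limited; the same arithmetic with an offline guess rate gives a probability that hits the cap almost immediately, which is why the proposed login delay does the real work here.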

congratulations to you and ur family on your new son…tooooooooooooo sweet…and thx for all the wonderful updates u offer here…lookin forward to the password thing to be setup…be bless and enjoy your new baby… -g-

Congrats on the new baby. May he have a long and wonderful life.
About the password, I always wanted someone to tell me how good or bad my password was. Thanks.
Right now that line is just black, I guess I need to change the password to find out how good or bad it is.

I have to nod towards Jan’s idea. This is a blog, not a bank account. If you are putting that sensitive info on here, step back and ask why. People like Scoble may lose a few hundred — near a thousand posts, but I doubt he would threaten to sue. I personally would lose a little over 250 posts and 1200 comments, but I wouldn’t threaten to come after you guys. Yeah, I would be bummed to lose a few posts.

Congratulations first.
But I agree with Jan, it is dumb.
The easy rule for a strong password is: minimum 8 characters length and requires at least one number, one uppercase letter and one number. For example: w0rdpRe$$.
Congrats again!!!

Congrats on your son! I love the password strength meter. As a System Administrator I know how important strong passwords can be, thanks for providing this service. I’ve blogged on occasion about some of my experiences as a Sys Admin and trying to deal with people who want easy passwords, instead of secure passwords – not fun at all.

Great new feature! I am glad to see that password strength is something being supported in WP and WPMU.

I currently am finishing up my first year of teaching a basic computer class in a local college, and password strength is something that I really found to be a problem among the masses. I am so very glad to see this update in the great WP code!

For some unknown reason, I’m still using the password that was automatically generated when I created my blog account. According to the “Update Your Password” box, the password *that WordPress gave me* is only “Good”… and too short! Guess I should change it!

Thanks everyone for your kind comments about Adam! Mark told me about the “password is too short” bug and I fixed it last night so everything should work ok.
I’d like to add a dictionary check when you submit your password but I think the current measures will do for the time being!

Thanks for the informative article – and want to say congratulations on the birth of your beautiful child. Children are wonderful and precious – we all need to protect and nourish them, yet provide them with guidelines as they grow. It is hard to be a parent! The magical years to me (not that there isn’t reward as they grow older) are from birth to about six years old. I have many fond recollections of those years with my son.
Wish the best for you and your child.

I think, a password is an “asmat,” a word used by a sorcerer to cheat other people, and this kind of cheating people by utilizing strange words has been used in African countries, especially in Ethiopia.